Anti-virus firm Avast reports (PDF) that criminals are exploiting a critical hole in the TimThumb WordPress add-on to deploy malicious code on a large scale. Avast says that it blocked more than 2,500 infected sites in September and anticipates a similar number in October.
The attackers install the professional BlackHole exploit framework on the affected servers. The framework then tries to infect visitors to the WordPress blog with malicious code by probing for various vulnerabilities in the visitor's browser and installed plug-ins.

Avast hasn't disclosed what kind of hole in TimThumb is being exploited by the attackers. It is probably the vulnerability that was exposed three months ago and was already being actively exploited at that time; even one of the developers was affected. Since the attackers continue to find numerous vulnerable WordPress installations, it appears that many admins have not become aware of the danger yet, possibly because they don't even know that they have the vulnerable script installed on their server.
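Because TimThumb is usually bundled inside themes and plug-ins rather than installed on its own, the practical first step for an admin is simply to find out whether any copy of the script is present and which version it declares. The following inventory script is an added example and is not code from Avast or the TimThumb project. It assumes that copies of the script are deployed under the filenames timthumb.php or thumb.php, and that each file declares its version with a PHP line of the form define ('VERSION', '...'), neither of which the article states. The sample WordPress tree it scans is constructed in a temporary directory so the script runs offline; point find_timthumb_copies at a real document root to use it.

```python
import os
import re
import tempfile
from pathlib import Path

# Filenames under which the script is commonly deployed (assumption:
# timthumb.php is the canonical name, thumb.php a frequent alias).
TIMTHUMB_NAMES = {"timthumb.php", "thumb.php"}

# Assumed pattern for the version declaration inside the script,
# e.g. define ('VERSION', '2.8.10'); the article does not show this line.
VERSION_RE = re.compile(r"""define\s*\(\s*['"]VERSION['"]\s*,\s*['"]([^'"]+)['"]""")


def find_timthumb_copies(root):
    """Walk a WordPress tree and return a sorted list of (relative path,
    declared version or None) for every file with a known TimThumb name.
    Compare the reported versions against the project's own advisory."""
    root = Path(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower() not in TIMTHUMB_NAMES:
                continue
            path = Path(dirpath) / name
            try:
                text = path.read_text(errors="replace")
            except OSError:
                text = ""  # unreadable file: still report it, version unknown
            match = VERSION_RE.search(text)
            version = match.group(1) if match else None
            findings.append((path.relative_to(root).as_posix(), version))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed, throwaway WordPress-like tree containing two
    copies of the script (one renamed, buried in a theme) plus an unrelated
    PHP file. Returns the root directory. Version strings are made up."""
    root = Path(tempfile.mkdtemp(prefix="wp-sample-"))
    theme = root / "wp-content" / "themes" / "sample-theme"
    plugin = root / "wp-content" / "plugins" / "sample-plugin" / "lib"
    theme.mkdir(parents=True)
    plugin.mkdir(parents=True)
    (theme / "thumb.php").write_text("<?php\ndefine ('VERSION', '1.32');\n")
    (plugin / "timthumb.php").write_text("<?php\ndefine ('VERSION', '2.8.10');\n")
    (theme / "functions.php").write_text("<?php\n// not timthumb\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel_path, version in find_timthumb_copies(sample_root):
        print(f"{rel_path}: version {version or 'unknown'}")
```

The scan matches on filename only, so a copy renamed to something else will be missed; an admin who wants a more thorough sweep can extend TIMTHUMB_NAMES or additionally grep the PHP tree for the version define shown in VERSION_RE.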